CVE-2024-46506
Severity: CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Description
NetAlertX 23.01.14 through 24.x before 24.10.12 allows unauthenticated command injection via settings update because function=savesettings lacks an authentication requirement, as exploited in the wild in May 2025. This is related to settings.php and util.php.
Analysis
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection through the settings update API. The savesettings function lacks authentication, enabling attackers to modify arbitrary configuration values and inject OS commands that execute on the host system.
Technical Context
The settings.php endpoint exposes a savesettings function without authentication checks. Certain configuration values are later passed to system shell commands during NetAlertX's scan operations. By injecting shell metacharacters into these configuration values, an attacker achieves arbitrary command execution with the privileges of the NetAlertX process (often root on network monitoring appliances).
Affected Products
NetAlertX 23.01.14 through 24.10.11
PiAlert (predecessor)
Remediation
Update to NetAlertX 24.10.12 or later. Never expose NetAlertX to the internet. Add authentication to the web interface using a reverse proxy. Run NetAlertX as a non-root user with minimal required capabilities.
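The controls that the analysis and remediation above call for, as an added example that is not NetAlertX's own code: an authentication gate in front of the settings update, an allowlist on any value that later reaches a shell, and argv-list execution instead of a concatenated shell string. The setting names, the Session and SettingsStore types and the scan-tool command are assumptions made for the illustration.

```python
import re
import subprocess
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical allowlist (assumed, not NetAlertX's real setting keys): every
# setting that later reaches a command line gets a strict pattern, so shell
# metacharacters such as ; | & $ ` and newlines can never be stored.
SETTING_RULES = {
    "SCAN_INTERFACE": re.compile(r"[A-Za-z0-9_.-]{1,15}"),
    "SCAN_SUBNET": re.compile(r"(\d{1,3}\.){3}\d{1,3}/\d{1,2}"),
}

@dataclass
class Session:
    user: Optional[str] = None  # None models an unauthenticated request

@dataclass
class SettingsStore:
    values: Dict[str, str] = field(default_factory=dict)

def save_setting(session: Session, name: str, value: str, store: SettingsStore) -> str:
    """Hardened equivalent of function=savesettings; returns a status string."""
    if session.user is None:
        return "denied: authentication required"  # the gate the CVE says was missing
    rule = SETTING_RULES.get(name)
    if rule is None:
        return "denied: unknown setting"  # no arbitrary keys, so no arbitrary values
    if not rule.fullmatch(value):
        return "denied: invalid value"  # metacharacters never reach the store
    store.values[name] = value
    return "saved"

def legacy_command_string(store: SettingsStore) -> str:
    """The vulnerable pattern, shown for contrast only and never executed here:
    stored values concatenated into one string that a shell would parse."""
    return f"scan-tool --interface {store.values['SCAN_INTERFACE']} {store.values['SCAN_SUBNET']}"

def build_scan_argv(store: SettingsStore) -> List[str]:
    """Hardened pattern: an argv list, so each value is one literal argument."""
    return ["scan-tool", "--interface", store.values["SCAN_INTERFACE"], store.values["SCAN_SUBNET"]]

def run_scan(store: SettingsStore) -> subprocess.CompletedProcess:
    # shell=False: the OS receives argv directly and no shell interprets the values.
    return subprocess.run(build_scan_argv(store), shell=False, check=False, capture_output=True)
```

Both layers matter: the allowlist stops a bad value at the API, and the argv form means a value that reaches the store by another path is still passed as a single literal argument rather than parsed by a shell.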